Attention crypto fans: Hundreds of Android apps use OCR to steal login credentials

Cybersecurity researchers at McAfee have discovered hundreds of malicious Android apps designed to steal access to people’s cryptocurrency wallets.

The researchers dubbed the campaign SpyAgent; it has so far comprised 280 apps in total, mimicking legitimate banking apps, government service tools, TV streaming services, utility apps, and more. The criminals hosted them on malicious sites and third-party app stores (never the Google Play Store) and tried to trick victims into installing them via phishing, social messaging apps, and the like.

Once the victim installed an app, the malware searched through the images stored on the device and used optical character recognition (OCR) to extract any text they contained. If it found something useful (e.g. runs of words that could be a seed phrase), it exfiltrated the content to a cloud-hosted database, where the attackers collected it.

Mnemonic Keys and Seed Phrases

Most cryptocurrency wallets have two layers of protection. One is a password, PIN or biometric, stored on the device, which gives the user access to the wallet and control over it. The other is the so-called “mnemonic key” or “seed phrase”: a set of 12 or 24 random words that allows the user to load the contents of the wallet onto a new device. The mnemonic key is a kind of backup: if a user loses access to their phone or hardware wallet, they can get a new one, enter the seed phrase and regain access to their wallet and all the currencies in it.

However, if a malicious actor gets hold of the mnemonic key, they can just as easily load the wallet and empty it. And since many people use “hot wallets” (essentially mobile apps), many also keep their mnemonic keys as screenshots on their phone, which is exactly the kind of image SpyAgent scans.
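As an added illustration, not code from the article or from McAfee's report, of why a leaked seed phrase hands over the whole wallet: under the BIP39/BIP32 conventions most wallets follow (an assumption about the victim's wallet, since the article names no standard), the words are stretched deterministically into the seed and master key, so any device that has the words reproduces the same wallet. The “abandon … about” phrase is the standard's published reference vector, not a real wallet.

```python
import hashlib
import hmac
import unicodedata

# Assumption: the wallet follows BIP39 (mnemonic -> seed) and BIP32 (seed -> master key).
PBKDF2_ROUNDS = 2048   # fixed by BIP39
SEED_LEN = 64          # bytes


def mnemonic_to_seed(words, passphrase=""):
    """Stretch a 12- or 24-word mnemonic into the 64-byte wallet seed (BIP39).

    The optional passphrase is the so-called 25th word: without it, the words
    alone are sufficient to rebuild the seed, which is the weakness the
    screenshot-stealing campaign exploits.
    """
    if len(words) not in (12, 15, 18, 21, 24):
        raise ValueError("mnemonic must have 12 to 24 words in steps of 3")
    mnemonic = unicodedata.normalize("NFKD", " ".join(words))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", mnemonic.encode("utf-8"), salt.encode("utf-8"), PBKDF2_ROUNDS, SEED_LEN
    )


def seed_to_master_key(seed):
    """Split the seed into the BIP32 master private key and chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def restore_wallet(words, passphrase=""):
    """What a wallet app does on a fresh device: rebuild every root secret from the words."""
    seed = mnemonic_to_seed(words, passphrase)
    key, chain = seed_to_master_key(seed)
    return {"seed": seed.hex(), "master_key": key.hex(), "chain_code": chain.hex()}


# Constructed sample: BIP39 reference vector for all-zero entropy (not a real wallet).
SAMPLE_WORDS = ["abandon"] * 11 + ["about"]

if __name__ == "__main__":
    original_device = restore_wallet(SAMPLE_WORDS)
    new_device = restore_wallet(SAMPLE_WORDS)      # same words, same wallet, anywhere
    assert original_device == new_device
    # A passphrase changes every derived secret, so a stolen screenshot of the
    # words alone no longer reproduces the wallet.
    assert restore_wallet(SAMPLE_WORDS, "TREZOR") != original_device
    print("master key:", original_device["master_key"])
```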

The best way to protect yourself from these apps is to download apps only from controlled sources, such as the Google Play Store. For more details on the malicious apps, see McAfee’s report.
